NetFlash

By GoldSparrow in Trojans

The Russian hacking group known as Turla is making headlines once again. In its latest campaign, Turla appears to be targeting Armenian government officials. The group has reportedly compromised two websites belonging to a well-known Armenian organization and two Armenian government websites, and it uses these compromised pages to launch watering hole attacks: visitors are served bogus Adobe Flash Player updates, and the attackers attempt to trick politicians and other officials into downloading the fake update.

During this latest campaign, the Turla group appears to be using two hacking tools from its arsenal – PyFlash and Netflash. The Netflash hacking tool is a Trojan downloader that serves as the first-stage payload in Turla’s latest campaign. This Trojan downloader is written for the ‘.NET’ framework, hence the name Netflash.

The Netflash Trojan downloader appears to be distributed together with the bogus Adobe Flash Player update, so both are likely to be present on the target’s system if the victim falls for Turla’s trickery. Upon running the fake Adobe Flash Player update, the Netflash payload is planted in the %TEMP% folder under the name ‘winhost.exe.’

Next, the Adobe Flash installer is launched, giving users the impression that nothing is wrong with their systems. The Adobe Flash Player installer is genuine and keeps the user busy while the Netflash Trojan downloader works silently in the background. Once launched, the Netflash Trojan gains persistence on the compromised system, ensuring that it runs every time the user reboots the computer. After completing this task, the Netflash downloader establishes a connection with the attackers’ C&C (Command & Control) server and fetches the payload of an additional threat. According to cybersecurity researchers, the Turla hacking group appears to use the Netflash Trojan downloader only in conjunction with the PyFlash secondary payload.
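The two host-side symptoms the article gives for the first stage are concrete enough to hunt for: a file named winhost.exe dropped directly into %TEMP%, and an autorun entry that brings it back after every reboot. The script below is an added example written for this page; it is not code from the article or from any vendor tooling. It assumes only what the article states (the file name and the %TEMP% location); the persistence mechanism is not named on the page, so autorun command lines are passed in as plain strings, with the Windows Run keys used as one assumed collection point. The sample directory and autorun entries it builds are constructed for the demo.

```python
"""Hunt for the NetFlash first-stage artefacts described in the article:
winhost.exe in %TEMP% plus an autorun entry that references it.
Added example; assumptions are marked in the comments."""
import os
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterable, List

DROPPER_NAME = "winhost.exe"   # first-stage file name reported in the article

# Constructed sample autorun command lines, as a collector might pull them from
# Run keys or scheduled tasks. Which mechanism NetFlash uses is an assumption;
# the article only says the dropper runs again after every reboot.
SAMPLE_AUTORUN_ENTRIES = [
    r'"C:\Users\victim\AppData\Local\Temp\winhost.exe"',
    r'"C:\Program Files\Vendor\updater.exe" /silent',
]

# Placeholder bytes for the demo file: not a real binary, just a recognisable stub.
PLACEHOLDER_BYTES = b"MZ-placeholder-not-a-real-binary"


@dataclass
class Finding:
    path: str
    sha256: str
    size: int
    autorun_refs: List[str] = field(default_factory=list)


def sha256_of(path: Path) -> str:
    """Hash the candidate so it can be checked against a sandbox or TI feed."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropper(temp_dir: str, autorun_entries: Iterable[str]) -> List[Finding]:
    """Flag every winhost.exe sitting directly in temp_dir (case-insensitive) and
    record which autorun entries mention it, the persistence symptom in the article."""
    entries = list(autorun_entries)
    base = Path(temp_dir)
    if not base.is_dir():
        return []
    findings = []
    for candidate in base.iterdir():
        if candidate.is_file() and candidate.name.lower() == DROPPER_NAME:
            refs = [e for e in entries if DROPPER_NAME in e.lower()]
            findings.append(Finding(str(candidate), sha256_of(candidate),
                                    candidate.stat().st_size, refs))
    return findings


def collect_run_key_entries() -> List[str]:
    """Read the HKCU and HKLM Run keys on Windows; return [] elsewhere.
    Assumption: this is one common autorun location, not one the article names."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    _, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                entries.append(str(value))
                i += 1
    return entries


def build_sample_temp() -> str:
    """Create a constructed %TEMP% look-alike: one benign file and a stub
    WinHost.exe (mixed case, to show the match is case-insensitive)."""
    d = tempfile.mkdtemp(prefix="netflash_demo_")
    (Path(d) / "readme.txt").write_bytes(b"harmless")
    (Path(d) / "WinHost.exe").write_bytes(PLACEHOLDER_BYTES)
    return d


def demo() -> List[Finding]:
    """Run the hunt against the constructed sample directory and entries."""
    return find_dropper(build_sample_temp(), SAMPLE_AUTORUN_ENTRIES)


if __name__ == "__main__":
    real_temp = os.environ.get("TEMP") or tempfile.gettempdir()
    hits = find_dropper(real_temp, collect_run_key_entries())
    if not hits:
        print(f"No {DROPPER_NAME} directly in {real_temp}; showing constructed demo instead.")
        hits = demo()
    for f in hits:
        print(f"{f.path}  sha256={f.sha256}  size={f.size}  autorun_refs={f.autorun_refs}")
```

A hit with an empty `autorun_refs` list still deserves triage: the article says persistence is set up after launch, so a freshly dropped file may not yet have an autorun entry. The hash is recorded so the file can be submitted for analysis rather than judged by name alone.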

However, the Netflash Trojan downloader sample studied by malware analysts dates to August 2019, so it is possible that the Turla hacking group has used this threat in earlier campaigns.
